Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source.
Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.
Over the last year and a half the OpenChain Project has developed and published the OpenChain Telco SBOM Guide and seen it adopted across the industry. The guide defines what a quality SBOM needs to contain for practical supply chain use.
We just released Version 1.1 of the Guide, and you can learn more about that in our launch announcement:
The guide is backed by automation so that checking SBOM quality scales: automated checks save time and money and make the practice sustainable. We started the automation journey around SBOM quality management with a validator for the OpenChain Telco SBOM Guide contributed by Nokia:
This week SCANOSS announced their automation support for the OpenChain Telco SBOM Guide, the first commercial tooling provider formally aligning with our work on SBOM quality. You can get all the details on the SCANOSS blog post dedicated to this development.
“The OpenChain Telco SBOM Guide does a remarkable job in providing to the industry a shared direction,” said Julian Coccia, CTO at SCANOSS. “It represents an outstanding complement to OpenChain 2.1 (ISO/IEC 5230:2020), which provides a simple, clear and effective process management standard for open source license compliance. By integrating support for the schema described in this Guide directly into our tools, SCANOSS makes it easy for organizations to adopt these guidelines efficiently.”
Community Credits
Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.
Naturally we also want to extend our thanks to Julian and the rest of the SCANOSS team for their adoption and support of the OpenChain Telco SBOM Guide.
And… a big thank you to all of the Nokia team who have created and supported this validator!
Get the guide in Chinese (Traditional), English, French and Japanese
Get the validator
Learn how to get involved in future development
What is this Guide?
The OpenChain Telco SBOM Guide sets out requirements for how an entity creates, delivers and consumes Software Bills of Materials (SBOMs). Entities that produce and/or consume SBOMs conforming to the guide get repeatable results and can streamline the tools and processes they use to generate and consume SBOMs.
Note: this guide does not require a conforming entity to adopt OpenChain standards, but doing so is greatly encouraged.
The guide applies on a per-SBOM basis: an entity can use it as its sole way of delivering SBOMs, but the guide's requirements refer to the individual SBOM, not to the entity that provides it. An SBOM that follows this guide can be called “OpenChain Telco SBOM Guide Compatible.”
Want more context? We delivered a presentation at FOSDEM:
Updates from Version 1.0 to Version 1.1 of the Guide:
Both PackageChecksum and PackageVerificationCode are accepted as the package hash.
The package hash is RECOMMENDED instead of MANDATORY.
ExternalRef is RECOMMENDED instead of MANDATORY.
FilesAnalyzed is no longer MANDATORY.
Examples are provided for the CISA SBOM Types.
A RECOMMENDED syntax is given for the CISA SBOM Types.
sbomasm is given as a better example of an SBOM merge tool.
A reference to the new CISA document was added.
An SBOM that conforms to version 1.0 of the Guide will also conform to version 1.1 of the Guide. The reverse is not true.
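The forward-compatibility claim above follows from the fact that every change in Version 1.1 relaxes a requirement. The following added example (illustrative code written for this page, not the Nokia validator or any other OpenChain tooling) makes that concrete: it reads an SPDX tag-value SBOM and checks each package against only the field-level rules listed in the changelog. The 1.0 column is inferred from that changelog (hash, ExternalRef and FilesAnalyzed MANDATORY, and only PackageChecksum accepted as the hash), and the full guide contains further requirements this snippet does not encode. The sample SBOM is constructed and does not describe a real product.

```python
"""Check SPDX 2.x tag-value packages against the field-level changes listed
for Version 1.1 of the OpenChain Telco SBOM Guide.

Added illustration, not the OpenChain validator. It encodes only the rules
named in the 1.0 -> 1.1 changelog; the guide itself has more requirements.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MANDATORY, RECOMMENDED, OPTIONAL = "MANDATORY", "RECOMMENDED", "OPTIONAL"

# requirement -> (level, SPDX tags that satisfy it), per guide version.
# 1.0 levels are assumed from the changelog (each is listed as relaxed in 1.1);
# 1.0 accepting only PackageChecksum is likewise an assumption drawn from
# "both ... are allowed" being new in 1.1.
PROFILES = {
    "1.0": {
        "package hash": (MANDATORY, ("PackageChecksum",)),
        "ExternalRef": (MANDATORY, ("ExternalRef",)),
        "FilesAnalyzed": (MANDATORY, ("FilesAnalyzed",)),
    },
    "1.1": {
        "package hash": (RECOMMENDED, ("PackageChecksum", "PackageVerificationCode")),
        "ExternalRef": (RECOMMENDED, ("ExternalRef",)),
        "FilesAnalyzed": (OPTIONAL, ("FilesAnalyzed",)),
    },
}


@dataclass
class Package:
    name: str
    tags: dict = field(default_factory=dict)  # tag -> list of values


def parse_packages(tag_value: str) -> list[Package]:
    """Minimal SPDX tag-value reader: group tags under each PackageName."""
    packages: list[Package] = []
    current: Package | None = None
    for raw in tag_value.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, value = (s.strip() for s in line.split(":", 1))
        if tag == "PackageName":
            current = Package(value)
            packages.append(current)
        elif current is not None:  # document-level tags before the first package are ignored
            current.tags.setdefault(tag, []).append(value)
    return packages


def check(tag_value: str, version: str) -> list[tuple[str, str, str]]:
    """Return (package, requirement, level) for every unsatisfied rule."""
    findings = []
    for pkg in parse_packages(tag_value):
        for requirement, (level, accepted) in PROFILES[version].items():
            if level == OPTIONAL:
                continue
            if not any(tag in pkg.tags for tag in accepted):
                findings.append((pkg.name, requirement, level))
    return findings


def conforms(tag_value: str, version: str) -> bool:
    """Only MANDATORY gaps break conformance; RECOMMENDED gaps are warnings."""
    return not any(level == MANDATORY for _, _, level in check(tag_value, version))


# Constructed sample (not a real product): libfoo carries every field,
# libbar carries only a PackageVerificationCode as its hash.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-firmware
PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.2.3
PackageChecksum: SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
ExternalRef: PACKAGE-MANAGER purl pkg:generic/libfoo@1.2.3
FilesAnalyzed: false
PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 0.9.0
PackageVerificationCode: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
"""

if __name__ == "__main__":
    for version in ("1.0", "1.1"):
        print(f"Guide {version}: conforms={conforms(SAMPLE_SBOM, version)}")
        for pkg, requirement, level in check(SAMPLE_SBOM, version):
            print(f"  {level:<11} {pkg}: missing {requirement}")
```

Run against the sample, libbar fails the 1.0 profile three times (PackageVerificationCode is not accepted as the hash there, and ExternalRef and FilesAnalyzed are absent) but passes 1.1 with a single RECOMMENDED warning for ExternalRef; libfoo, which satisfies 1.0, passes both, which is the one-way compatibility the paragraph above describes.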
The OpenChain Telco Work Group has released an updated OpenChain Telco SBOM Guide Validator to support Version 1.1 of the Telco SBOM Guide. The guide is an industry-specific but easily adaptable guide to addressing SBOM quality in the supply chain. The validator allows you to automate checks of conformance to the guide.
Learn more about the updated validator in the latest meeting below.
Everyone is welcome to be part of this study group! OpenChain has free, open access to all its work groups and study groups. Just turn up, and listen in, and contribute comments, ideas and suggestions.
We held our regular workshop for the OpenChain AI Work Group on May 6th. During this meeting some important decisions were made. The Work Group attendees agreed that initial drafting on the AI SBOM Compliance Guide is now substantially complete, and there will be two next steps:
The work will be taken to the OpenChain Governing Board Q2 meeting (25th June) for formal approval to start a public comment period.
If approval is given, the guide will go into a six week public comment period, and after that period will move into a publication process.
You can follow and contribute to the work of the OpenChain AI Work Group through its dedicated mailing list. This is open to everyone regardless of industry vertical or speciality. You will find it here:
View the original version of this article on LinkedIn
An introduction from Shane Coughlan, General Manager at OpenChain Project:
Our colleagues over at Software Heritage have long worked towards creating a universal archive of all software. Part of this work is identifying software reliably, and to accomplish this they developed the SoftWare Hash IDentifier (SWHID) specification, which has now been released as an international standard. You will find it as ISO/IEC 18670 on the ISO website.
Because of the potential of this new standard to positively impact the global open source supply chain, and to help address compliance matters of all types, we want to ensure our community is fully aware of the release, its meaning, and how to learn more.
A few words from Roberto Di Cosmo, Director at Software Heritage:
A major milestone has been reached in the landscape of digital infrastructure: the Software Hash Identifier (SWHID) was officially published on April 23rd, 2025 as the ISO/IEC international standard 18670! 🎉 🔗 Official ISO Listing 📘 Free Public Specification
A Universal Identifier for Software
Inspired by well-established practice in distributed software development, almost ten years ago Software Heritage created a “Software Heritage Identifier” that is used in its archive to track over 50 billion software artifacts. Today, this identifier scheme has grown into a globally recognized, community-driven standard. Rebranded as the Software Hash Identifier, SWHID is designed for universal adoption across archives, regulatory frameworks, research, industry, and beyond.
This name shift reflects a deeper transformation: from an internal archival tool to a public digital infrastructure for all—a way to uniquely and verifiably reference software artifacts across contexts and borders.
Why It Matters
Software is at the core of innovation, but referencing it reliably has always been a challenge. SWHID addresses this by offering:
🧾 Intrinsic, verifiable, and immutable identifiers
🔍 Long-term traceability of code, even if moved or renamed
📚 Reproducibility in science and industry
🛡️ Support for compliance and cybersecurity regulation
With the adoption of ISO/IEC 18670, we now have a globally accepted framework for identifying software—just as we have ISBNs for books or DOIs for papers.
Community at the Core
This success is the result of years of collaboration within the broader software preservation and cybersecurity community. The journey included:
A dedicated core team responsible for the maintenance of the specification
This is a shared major achievement—for everyone committed to making software a first-class, preservable, and referenceable citizen of our digital ecosystem.
SWHID in Action: Strengthening Cybersecurity
Software traceability is increasingly critical to regulatory compliance and cyber resilience. Our recent whitepaper outlines how SWHIDs contribute to this vision:
This work supports efforts like the EU’s Cyber Resilience Act by providing a concrete, open standard for identifying software components.
SWHID in Action: Enabling Reproducibility in Open Science
In scientific research, reproducibility depends on more than just data—it relies on exactly replicating the software used in analyses. SWHIDs provide a rock-solid way to archive and reference the precise version of code used in experiments.
Explore the guidelines on how to archive and cite software with SWHID to support reproducible science: 🔗 How to archive and reference code
As AI systems become increasingly influential, the demand for transparency in the data and software used to train them is growing. SWHIDs offer a solution by enabling verifiable references to source code, contributing to more accountable and auditable AI.
The SWHID journey doesn’t end here. Now that it’s an international standard, we invite everyone—developers, educators, researchers, policy makers—to adopt it, build on it, and share it.
✅ Explore the spec on swhid.org or in the 🔗 Official ISO Listing
🌐 Visit the official site: swhid.org
📬 Include it in your toolchains and supply chain policy
Together, we’ve transformed a powerful idea into a global asset. Here’s to a future where all software is identifiable, referenceable, and preserved.
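The “intrinsic, verifiable, and immutable” properties mentioned above come from how a SWHID is derived: a content identifier (`swh:1:cnt:…`) is a SHA-1 over the bytes themselves, framed the way Git hashes a blob object, so anyone holding the bytes can recompute it without consulting any registry. The following added example (written for this page, not Software Heritage’s own code) computes and verifies content identifiers; directory, revision and release identifiers are not covered, and the sample source file is constructed.

```python
"""Compute and verify SWHID content identifiers (swh:1:cnt:<sha1>).

Added illustration, not Software Heritage code. It relies on one documented
fact: a 'cnt' SWHID is the SHA-1 of a Git blob object, i.e. of the bytes
"blob <size>" + NUL + <content>. Other object types are not handled here.
"""
import hashlib
import re

# Core SWHID syntax: scheme, version 1, object type, 40 hex digits.
SWHID_RE = re.compile(r"^swh:1:(cnt|dir|rev|rel|snp):([0-9a-f]{40})$")


def content_swhid(data: bytes) -> str:
    """Intrinsic identifier: derived from the bytes alone, no registry lookup."""
    header = b"blob %d\x00" % len(data)
    return "swh:1:cnt:" + hashlib.sha1(header + data).hexdigest()


def parse_swhid(swhid: str) -> tuple[str, str]:
    """Split a core SWHID into (object type, hash); reject malformed input."""
    match = SWHID_RE.match(swhid)
    if not match:
        raise ValueError(f"not a core SWHID: {swhid!r}")
    return match.group(1), match.group(2)


def verify_content(data: bytes, swhid: str) -> bool:
    """Verifiable: recompute from the bytes and compare with the claimed id."""
    kind, _ = parse_swhid(swhid)
    if kind != "cnt":
        raise ValueError("only content (cnt) identifiers can be checked from bytes alone")
    return content_swhid(data) == swhid


# Constructed sample: a source file as it might be cited in a paper or an SBOM.
SAMPLE_SOURCE = b"def area(r):\n    return 3.14159 * r * r\n"

# Git's well-known empty-blob hash, which the cnt scheme shares.
EMPTY_FILE_SWHID = "swh:1:cnt:e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"

if __name__ == "__main__":
    swhid = content_swhid(SAMPLE_SOURCE)
    print(swhid)
    print("intact   :", verify_content(SAMPLE_SOURCE, swhid))
    tampered = SAMPLE_SOURCE.replace(b"3.14159", b"3.0")
    print("tampered :", verify_content(tampered, swhid))
```

Because the identifier is a function of the content, a one-byte change to the cited file yields a different SWHID, which is what lets a reviewer or an auditor confirm that the code referenced in a paper or an SBOM is exactly the code they have in hand.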
The OpenChain Project took part in the fourth Software Heritage Community Workshop, held in Paris on January 30, 2025.
This poster highlights some of the outcomes from our collaborative workgroup, where a diverse range of stakeholders (OpenChain / CERN / Software Heritage / Academia) discussed how to measure impact when we extract knowledge from software assets:
What is Software Heritage? It is an international non-profit infrastructure, supported by UNESCO and Inria, that collects, preserves and shares all software source code for industry, research, culture and society. Its SWHID specification was recently published as ISO/IEC 18670, which specifies the identifier used to ensure that all software, everywhere, can be tracked.
Open source software providers are facing a triple threat: tightening US and EU regulations, rising IP litigation, and the risks introduced by Gen AI. Soon, your board—and your customers and suppliers—might be asking that you have specific insurance that actually covers OSS-related liabilities. But does such insurance exist? Does it work? And how should it work?
Historically, insurers have struggled to grasp OSS risks, offering inadequate or unclear coverage. Now, a new wave of insurance solutions is emerging, informed by OpenChain standards and best practices.
Watch the Webinar:
More About Our Webinars:
This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants are discussing approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs involved. This is user companies producing great informative content for their peers.
The OpenChain Telco Work Group has released Version 1.1 of the Telco SBOM Guide, an industry-specific but easily adaptable guide to addressing SBOM quality in the supply chain. Learn more about the release and what it means in their latest meeting.
As always, we focused on the question of “how do we use SBOMs in production, large-scale and complex supply chains?” We are dealing with the reality of supply chains with many participants who have different levels of skill, use different formats, and perhaps follow different regulations or policies.
In this meeting, we looked at the question of how someone could approach building a cross-industry, cross-format guide to SBOM Quality. The mental model was “how would we use the Telco SBOM Quality Guide as a starting point,” and our Japanese sub-group prepared a proof-of-concept.
Learn More About This Study Group:
Our SBOM Study Group brings all our various SBOM-related activities together and helps answer the question of “how do we use SBOMs in production, large-scale and complex supply chains?” Our original kick-off call has all the details.